jobtraffic

Product & Application Security - Associate Director

  • IE
    Ireland

About

Overview
Read all the information about this opportunity carefully, then use the application button below to send your CV and application.

Associate Director — Product & Application Security (EMEA)


Role Purpose: Lead and scale the Product & Application Security program for our products portfolio across EMEA. Own secure-by-design practices from architecture and threat modeling through DevSecOps in CI/CD, vulnerability management, and coordinated disclosure—enabling developer velocity without compromising risk posture. Align to our System Development & Application Security standards and reference patterns.


Key Outcomes

  • Establish EMEA-fit Secure SDLC guardrails (requirements → release gating) and publish reference architectures for authentication/authorization, secrets, cryptography, logging, and privacy.
  • Embed DevSecOps controls in pipelines (SAST, SCA, secret scanning, IaC/K8s policy-as-code, SBOM generation, artifact signing and provenance) with measurable pass/fail criteria.
  • Stand up product vulnerability management with SLA tiers, risk-based triage, and executive reporting.
  • Launch an EMEA secure coding enablement track and developer champions program.
  • Demonstrate compliance readiness for GDPR/NIS2 and AI-related controls applicable to product features.

Responsibilities

  • Own AppSec architecture and threat modeling for high-risk services; review designs and third-party components.
  • Define and enforce pipeline security controls; partner with Engineering to shift-left testing and automate gates.
  • Govern SBOM standards and software supply-chain risk (open-source hygiene, provenance, signing).
  • Lead vulnerability management and remediation orchestration across squads; partner with SRE for runtime hardening.
  • Chair the Product Security Review Board for go-live exceptions and risk acceptance.
  • Collaborate with Privacy/Legal on data protection by design; align with GRC on policy and control mapping.
  • Mentor an EMEA AppSec team; provide matrix leadership across GDC and product squads.

Required Qualifications

  • 10+ years in Application/Product Security; 3+ years leading programs at scale.
  • Expertise with OWASP ASVS, threat modeling (STRIDE/ATT&CK), API security, and cloud-native architectures (Azure/AWS).
  • Hands-on with SAST/SCA/DAST, IaC/K8s policy (e.g., OPA), container scanning, and SBOM tooling.
  • Proven stakeholder management with Engineering, Product, and Platform teams.
  • Relevant certifications such as CSSLP, CISSP, or CISM (preferred).

Preferred Qualifications

  • Experience with AI/ML product risks (prompt injection, model supply chain, dataset governance).
  • Familiarity with GDPR, NIS2, and secure disclosure practices.

Key Performance Indicators (KPIs)

  • Builds passing security gates (%).
  • MTTR for critical vulnerabilities.
  • Coverage of threat models and reference patterns.
  • SBOM completeness and policy adherence.
  • Exception trend and closure rate.


Language skills

  • English

Note for users

This job posting comes from a TieTalent partner platform. Click "Apply Now" to submit your application directly on their website.